Site-to-site IPSec VPN between VPNaaS (SIM-Cloud) and pfSense router (remote office)

Description

This article describes the configuration of an IPsec site-to-site VPN connection between the VPNaaS, on the cloud infrastructure side, and a pfSense-based router on the remote office side.
Both routers have public IP addresses on their WAN interfaces, i.e. neither of them is behind NAT.
The configuration examples in this article use the management interface (GUI).

Initial conditions

  • Both nodes between which the VPN tunnel is to be built have public IP addresses.
  • Site A is the cloud-based VPNaaS provided by SIM-Cloud.
  • Site B is the client’s infrastructure, based on pfSense.
  • Each site has its own private subnetwork:
    • Site “A” - 10.5.4.0/24
    • Site “B” - 192.168.255.0/24
  • VPNaaS version: 12.0.5
  • pfSense version: CE-2.4.4-RELEASE-p3-amd64

Warning

Depending on the router OS or software version, the configuration steps may differ from those shown here.

Note

To set up a VPN connection, the following conditions must be satisfied:

  • Network reachability between the routers:

    • UDP port 500 (IKE, used to negotiate and manage the encryption keys).
    • UDP port 4500 (IPsec NAT-Traversal, used when a router is behind NAT).
    • IP protocol 50 (ESP, the encrypted IPsec payload).
    • IP protocol 51 (AH).
  • The firewall rules must not block traffic between the routers or between the private subnetworks.

  • The private subnetworks joined by IPsec must be different and must not overlap.

“Summary table”
VPN Router         | VPN Peer IP   | Private Network  | Private Network GW IP | Private Network Host IP
Site “A” (VPNaaS)  | 156.67.54.218 | 10.5.4.0/24      | 10.5.4.1/32           | 10.5.4.7
Site “B” (pfSense) | 156.67.53.177 | 192.168.255.0/24 | 192.168.255.22/32     | 192.168.255.29

In this example the initial configuration of the secure IPsec site-to-site VPN connection is carried out. To do this, we link the private networks 10.5.4.0/24 and 192.168.255.0/24, situated behind the routers.

Site A configuration (VPNaaS)

The VPNaaS is configured in accordance with the instructions:

A1. Configure IKE Policy. For this step the following parameters are used:

“IKE Policy”
Parameter                    | Value
Name                         | ikepolicy
Authorization algorithm      | sha1
Encryption algorithm         | 3des
IKE version                  | v2
Lifetime value for IKE keys  | 86400
Perfect Forward Secrecy      | group5
IKE Phase1 negotiation mode  | main

A2. Configure IPSec Policy. For this step the following parameters are used:

“IPsec Policy”
Parameter                    | Value
Name                         | ipsecpolicy
Authorization algorithm      | sha1
Encapsulation mode           | tunnel
Encryption algorithm         | 3des
Lifetime value for IKE keys  | 3600
Perfect Forward Secrecy      | group5
Transform Protocol           | esp

A3. Configure VPN service. For this step the following parameters are used:

“VPN service”
Parameter | Value
Name      | VPNservice
Router    | Select from the list of cloud project routers

A4. Configure Endpoint Groups. For this step the following parameters are used:

“Endpoint Groups”
Endpoint group name | Type   | Value
local_epg           | SUBNET | 10.5.4.0/24
remote_epg          | CIDR   | 192.168.255.0/24

A5. Configure IPsec site connection. For this step the following parameters are used:

“IPsec site connection”
Parameter                                          | Value
Name                                               | ipsecsiteconn
VPN service associated with this connection        | VPNservice
Endpoint group for local subnet(s)                 | local_epg
IKE policy associated with this connection         | ikepolicy
IPsec policy associated with this connection       | ipsecpolicy
Peer gateway public IPv4/IPv6 Address or FQDN      | 156.67.53.177
Peer router identity for authentication (Peer ID)  | 156.67.53.177
Endpoint group for remote peer CIDR(s)             | remote_epg
Pre-Shared Key (PSK) string                        | Baejii9ahwoo
MTU                                                | 1500

A6. Once all these changes have been made, it can be seen that the IPsec site connection has been successfully created and has the status ‘Down’. When the tunnel is configured at the other end and successfully established, this status changes to ‘Active’.
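The same Site A objects (steps A1 to A5) created with the OpenStack CLI instead of the GUI, as an added example that is not part of the article or of SIM-Cloud's own tooling. It assumes the `openstack vpn ...` commands of the python-neutronclient plugin are available and that the project router and the 10.5.4.0/24 subnet are referenced by the placeholder names ROUTER_NAME and LOCAL_SUBNET_NAME; all other values are the article's.

```shell
#!/bin/sh
# Added example: Site A (VPNaaS) steps A1-A5 as OpenStack CLI calls.
# Placeholders (assumed, not from the article): the router and local subnet names.
ROUTER_NAME="${ROUTER_NAME:-project-router}"            # assumed name of the cloud router
LOCAL_SUBNET_NAME="${LOCAL_SUBNET_NAME:-site-a-subnet}" # assumed name of the 10.5.4.0/24 subnet
PEER_IP="156.67.53.177"          # pfSense WAN address (article's summary table)
REMOTE_CIDR="192.168.255.0/24"   # Site B private network
PSK="${PSK:-Baejii9ahwoo}"       # article's PSK; generate a fresh one for a real deployment

# Runs a command, or only prints it when DRY_RUN=1 (review before touching the cloud).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_site_a() {
    # A1: IKE policy (phase 1) - parameters from the "IKE Policy" table
    run openstack vpn ike policy create ikepolicy \
        --auth-algorithm sha1 --encryption-algorithm 3des --ike-version v2 \
        --lifetime units=seconds,value=86400 --pfs group5 \
        --phase1-negotiation-mode main
    # A2: IPsec policy (phase 2) - parameters from the "IPsec Policy" table
    run openstack vpn ipsec policy create ipsecpolicy \
        --auth-algorithm sha1 --encryption-algorithm 3des \
        --encapsulation-mode tunnel --transform-protocol esp \
        --lifetime units=seconds,value=3600 --pfs group5
    # A3: VPN service bound to the project router
    run openstack vpn service create VPNservice --router "$ROUTER_NAME"
    # A4: endpoint groups - local side by subnet, remote side by CIDR
    run openstack vpn endpoint group create local_epg --type subnet --value "$LOCAL_SUBNET_NAME"
    run openstack vpn endpoint group create remote_epg --type cidr --value "$REMOTE_CIDR"
    # A5: the site connection that ties policies, service and endpoint groups together
    run openstack vpn ipsec site connection create ipsecsiteconn \
        --vpnservice VPNservice --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \
        --local-endpoint-group local_epg --peer-endpoint-group remote_epg \
        --peer-address "$PEER_IP" --peer-id "$PEER_IP" --psk "$PSK" --mtu 1500
}

# To apply: call create_site_a (with DRY_RUN=1 exported, it only prints the six commands).
```

The cipher set is the article's; stronger choices (for example aes-256, sha256 and group14) are set through the same flags and must then be mirrored in the pfSense phase 1 and phase 2 proposals.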

Site B configuration (pfSense)

Guidance for configuring the VPN on pfSense is taken from the software vendor’s own documentation chapter, “Configuring a Site-to-Site IPsec VPN”.

B1. Configuring the VPN IPsec tunnel. Phase 1

Go to the ‘VPN > IPsec’ menu and press ‘+ Add P1’ on the ‘Tunnels’ tab.
The following parameters are to be used:

General Information
Parameter            | Value         | Note
Disabled             | Unchecked     | Leave unchecked so that the tunnel is enabled
Key Exchange version | V2            | Must match the IKE version specified in the VPNaaS
Internet Protocol    | IPv4          |
Interface            | WAN           | Select the interface facing the Internet
Remote gateway       | 156.67.54.218 | The public IP address of the VPNaaS
Description          | VPNaaS        | Free-form description

Phase 1 Proposal (Authentication)
Parameter             | Value           | Note
Authentication method | Mutual PSK      | Use a pre-shared key
My identifier         | My IP address   | Simple identification when using a fixed IP
Peer identifier       | Peer IP address | Simple identification when using a fixed IP
Pre-Shared Key        | Baejii9ahwoo    | Random characters; must be identical to the key entered at the other end

Phase 1 Proposal (Encryption Algorithm)
Parameter                        | Value | Note
Encryption algorithm / Algorithm | 3DES  | Must match the value specified in the VPNaaS
Encryption algorithm / Hash      | SHA1  | Must match the value specified in the VPNaaS
Encryption algorithm / DH group  | 5     | Must match the PFS group specified in the VPNaaS
Lifetime                         | 86400 | Seconds; must match the value specified in the VPNaaS

Advanced Options
Parameter           | Value     | Note
Disable Rekey       | Unchecked | Renegotiate the keys when the lifetime expires
Disable Reauth      | Unchecked | For IKEv2 only: re-authenticate the peer on rekeying
Dead Peer Detection | Enabled   | Leave the settings at their defaults

Save changes by clicking the ‘Save‘ button.

B2. Configuring the VPN IPsec tunnel. Phase 2

Go to the ‘VPN > IPsec’ menu in the ‘Tunnels‘ tab. After pressing the ‘+ Show Phase-2 entries’ button an empty list appears; here press ‘+ Add P2’ to add a record for ‘Phase 2’.
The following parameters are to be used:
General Information
Parameter                | Value                    | Note
Disabled                 | Unchecked                | Leave unchecked so that the tunnel is enabled
Mode                     | Tunnel IPv4              | Select Tunnel mode
Local Network / Type     | LAN subnet               | Route the local LAN subnet
Remote Network / Type    | Network                  | Route a remote network
Remote Network / Address | 10.5.4.0/24              | The remote LAN subnet
Description              | Local network in VPNaaS  | Free-form description

Phase 2 Proposal (SA/Key Exchange)
Parameter             | Value         | Note
Protocol              | ESP           | Select ESP for encryption
Encryption algorithms | 3DES          | Must match the value specified in the VPNaaS
Hash algorithms       | SHA1          | Must match the value specified in the VPNaaS
PFS Key group         | 5 (1536 bits) | Must match the PFS group specified in the VPNaaS
Lifetime              | 3600          | Seconds; must match the value specified in the VPNaaS

Save your changes by clicking ‘Save’ and adopt them by clicking ‘Apply changes’.

B3. Activating the VPN IPsec tunnel.

To activate the IPsec connection, go to the ‘VPN > IPsec’ menu in the ‘Tunnels’ tab.
Click the Restart Service icon (screenshot: vpn_ipsec_restart.png).

B4. Add rules to the firewall to allow traffic to pass through the IPsec tunnel to our local network.

To do this, go to the ‘Firewall > Rules’ menu in the ‘IPsec’ tab and add the rule according to the table:

“Edit IPsec Firewall rules”
Action | Interface | Address Family | Protocol | Source | Destination | Description
Pass   | IPsec     | IPv4           | any      | any    | LAN net     | Allow IPsec traffic to LAN net

Save the rule by clicking Save and adopt it by clicking ‘Apply changes’.

Tunnel function check

When these changes are complete the VPN tunnel should be established and traffic between the local networks should be able to flow through it.
This can be verified with a ping command between the hosts on opposite local networks.

Note

If the tunnel is not established, restart the VPN service from both sides.

  • To check the tunnel status in pfSense, go to the ‘Status > IPsec’ menu in the ‘Overview‘ tab. Click the button ‘Show child SA entries’ to see the details for ‘Phase 2‘.
  • The status of the IPsec site connection in the VPNaaS has changed to Active.
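A scripted version of the check above for the pfSense side, as an added example that is not part of the article or of pfSense. It assumes the output of `ipsec statusall` (pfSense 2.4.x runs strongSwan) has been saved to a file, and verifies that the IKE SA is established with the VPNaaS peer and that a child SA covers exactly the two private networks from the summary table; the sample dumps are constructed, and connection names follow pfSense’s own numbering in real output.

```shell
#!/bin/sh
# Added example: verify a saved `ipsec statusall` dump against the article's expected
# peer (156.67.54.218), local network (192.168.255.0/24) and remote network (10.5.4.0/24).
# Save the dump on pfSense with:  ipsec statusall > /tmp/ipsec.txt  (assumed path)
check_tunnel() {
    # $1 status file, $2 peer IP, $3 local network, $4 remote network
    f=$1; peer=$2; local_net=$3; remote_net=$4
    # Phase 1: an IKE SA in state ESTABLISHED whose remote address is the peer
    grep -q "ESTABLISHED.*\.\.\.${peer}\[" "$f" \
        || { echo "FAIL: no established IKE SA with $peer"; return 1; }
    # Phase 2: an installed tunnel-mode child SA ...
    grep -q "INSTALLED, TUNNEL" "$f" \
        || { echo "FAIL: no installed child SA (phase 2)"; return 1; }
    # ... whose traffic selectors are exactly the two private networks
    grep -qF "${local_net} === ${remote_net}" "$f" \
        || { echo "FAIL: no child SA for ${local_net} <-> ${remote_net}"; return 1; }
    # Negotiated proposal should be the configured 3DES/SHA1/DH group 5 (strongSwan names)
    grep -q "IKE proposal: 3DES_CBC/HMAC_SHA1_96/.*/MODP_1536" "$f" \
        || echo "WARN: negotiated IKE proposal differs from the configured one"
    echo "OK: tunnel to $peer is up for ${local_net} <-> ${remote_net}"
    return 0
}

# Constructed sample dumps (not real captures): one established tunnel, one still connecting.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
      con1[2]: ESTABLISHED 47 minutes ago, 156.67.53.177[156.67.53.177]...156.67.54.218[156.67.54.218]
      con1[2]: IKEv2 SPIs: 5b1b5f6a3e4c0b7d_i* 9d0c2b4e1a7f3c58_r, rekeying in 22 hours
      con1[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c3e1b0a2_i 7f9d4c61_o
      con1{1}:  3DES_CBC/HMAC_SHA1_96, 1260 bytes_i, 1260 bytes_o, rekeying in 41 minutes
      con1{1}:   192.168.255.0/24 === 10.5.4.0/24'
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
      con1[1]: CONNECTING, 156.67.53.177[%any]...156.67.54.218[%any]
      con1[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 0000000000000000_r'

check_sample() {
    # Writes the given dump to a temporary file and runs check_tunnel on it; returns its status.
    tmp=$(mktemp); printf '%s\n' "$1" > "$tmp"
    if check_tunnel "$tmp" 156.67.54.218 192.168.255.0/24 10.5.4.0/24; then rc=0; else rc=1; fi
    rm -f "$tmp"; return $rc
}
```

For a live check replace the sample with `check_tunnel /tmp/ipsec.txt 156.67.54.218 192.168.255.0/24 10.5.4.0/24`; a FAIL on the child SA while the IKE SA is established usually means the phase 2 networks do not match the endpoint groups on the VPNaaS side.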